CVE-2026-43975
Path Traversal in Apache Wicket FolderUploadsFileManager
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | wicket | From 10.0.0 (inc) to 10.9.0 (exc) |
| apache | wicket | From 8.0.0 (inc) to 8.17.0 (inc) |
| apache | wicket | From 9.0.0 (inc) to 9.22.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to read and write arbitrary files on the server, potentially exposing sensitive data or enabling unauthorized modifications.
Such unauthorized access and data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.
Exploitation of this vulnerability might result in breaches of confidentiality, integrity, and availability of data, thereby violating regulatory requirements for data security and privacy.
Can you explain this vulnerability to me?
CVE-2026-43975 is a critical path traversal vulnerability in Apache Wicket's FolderUploadsFileManager component. The vulnerability occurs because the parameters uploadFieldId and clientFileName are not properly validated or sanitized before being used to construct file paths.
This flaw allows an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server.
The issue affects Apache Wicket versions from 8.0.0 through 8.17.0, 9.0.0 through 9.22.0, and 10.0.0 through 10.8.0. It was introduced when the FolderUploadsFileManager was added.
A fix was implemented by sanitizing file paths and improving error handling, and users are recommended to upgrade to version 10.9.0 or later.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows unauthenticated attackers to perform path traversal attacks.
- Attackers can write arbitrary files outside the intended upload directory, potentially leading to remote code execution.
- Attackers can read sensitive files from arbitrary locations on the server, exposing confidential information.
- It may allow attackers to tamper with server configuration files.
- The vulnerability can also lead to denial of service conditions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache Wicket to version 10.9.0 or later, where the issue has been fixed by sanitizing file paths and improving error handling.
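The weakness described above (CWE-22: attacker-supplied `uploadFieldId` and `clientFileName` used to build a filesystem path without validation) is mitigated by the pattern shown below. This is an added illustrative example written for this page; it is not Apache Wicket's code and not the actual fix shipped in 10.9.0. The class name `SafeUploadPath`, its methods, and the sample inputs are all constructed for the example. It treats each parameter as a single path segment, rejects separators and dot components, and then re-checks that the normalized result still lies under the real upload root, so the containment check holds even if the segment filter is later relaxed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical helper (not Wicket's own code) demonstrating the CWE-22
 * defence: constrain each user-supplied value to one path segment, then
 * confirm the normalized destination is still inside the upload root.
 */
public final class SafeUploadPath {

    private final Path uploadRoot;

    public SafeUploadPath(Path uploadRoot) throws IOException {
        // toRealPath() resolves symlinks so the containment check below is
        // done against the directory's true location on disk.
        this.uploadRoot = uploadRoot.toRealPath();
    }

    /** True only for a single, plain path segment. */
    static boolean isSafeSegment(String segment) {
        if (segment == null || segment.isEmpty()) {
            return false;
        }
        // No separators (either flavour), no NUL bytes, and no "." / ".."
        // components, which are the elements that let a name climb out of
        // the intended directory.
        return segment.indexOf('/') < 0
                && segment.indexOf('\\') < 0
                && segment.indexOf('\0') < 0
                && !segment.equals(".")
                && !segment.equals("..");
    }

    /**
     * Build the destination for (uploadFieldId, clientFileName). Both values
     * are attacker-controlled in the scenario on this page, so each is
     * validated as a single segment, and the joined path is checked for
     * containment as defence in depth.
     */
    public Path resolve(String uploadFieldId, String clientFileName) {
        if (!isSafeSegment(uploadFieldId) || !isSafeSegment(clientFileName)) {
            throw new IllegalArgumentException("invalid path segment");
        }
        Path candidate = uploadRoot.resolve(uploadFieldId)
                                   .resolve(clientFileName)
                                   .normalize();
        if (!candidate.startsWith(uploadRoot)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");
        SafeUploadPath safe = new SafeUploadPath(root);

        // Constructed inputs: one legitimate pair and three traversal shapes
        // that the guard must refuse.
        System.out.println("accepted: " + safe.resolve("field1", "report.pdf"));
        String[][] rejected = {
            {"../../etc", "passwd"},
            {"field1", "..\\..\\win.ini"},
            {"field1", ".."},
        };
        for (String[] pair : rejected) {
            try {
                safe.resolve(pair[0], pair[1]);
                System.out.println("UNEXPECTED: accepted " + pair[0] + "/" + pair[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + pair[0] + "/" + pair[1] + ": " + e.getMessage());
            }
        }
    }
}
```

Running `main` prints one accepted path under the temporary upload root and three rejections. A production upload handler would usually reduce a client-supplied file name to its last component (browsers on some platforms send a full path) rather than reject it outright; either way the final `startsWith` check against the resolved root is the part that should never be skipped, because it catches any segment-level filter gap without depending on how the name was cleaned.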